Re: [pfSense] pfsense/shell ipsec behavior

2012-04-27 Thread Uttam Singh
OK - figured this part out.

I needed to use "ping -S ..." when pinging an
ipsec-network host from the pf device itself.

Any ideas on how to make this work for iperf in client mode?

Is there any way to specify a "default System IP Address"?

I see that a Virtual IP can only be created for LAN or WAN interface
but not IPSEC interface.

btw - I am running stock 2.0.1 release.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Packages are being installed in the background (pfSense 2.0.1)

2012-04-27 Thread Volker Kuhlmann
On Fri 24 Feb 2012 21:45:15 NZDT +1300, Jürgen Echter wrote:

> i had to re-setup my firewall and restored my config. all went well
> so far, but i can't edit anything because i have on every screen a
> pic which says 'packages are being reinstalled in the background'.
> this is on since a few hours.

Old thread, but I see this every time I reload a pfsense config. It's
impossible to say when the package reloading is actually finished, it
shouldn't possibly take as long as it does and it seems the package lock
isn't cleared.

You can go to the backup/restore page, on the bottom is a button to
clear the package lock.

What I would like to know is how to prevent the package reloading after
restoring a config when there are no package changes.

Thanks,

Volker

-- 
Volker Kuhlmann
http://volker.dnsalias.net/ Please do not CC list postings to me.


[pfSense] run driver crashes

2012-04-27 Thread Volker Kuhlmann
I obtained a couple of Tenda W322U to use as access points after finding
reports that they work well with pfsense. ralink chipset, run driver.

Initially everything's perfect - plug in, device shows up and can be
configured. Needs an entry in loader.conf.local but hey.

Then the kernel panics - not something I've ever seen with pfsense.
Worse, pfsense goes belly-up on reboot (I pulled the stick out thinking
it might be the cause, which is how I found out about loader.conf)
because of some interface nonsense. I can live without wireless, but
would have expected the rest of pfsense to reboot to working order.

Crash then repeats, always when using the web interface.

I tried this on a different pfsense box, and somewhere on (intentional)
reboot there's another crash, but the system remains running.
Submitted crash report for this event.

Both boxes have been running fine for months/years before, and as it
happens on both, I'm tending to think software error.

Latest stable pfsense 2.0.1-release on both.

When it's not crashing it's running all fine and out of the box.

Is this a known problem?
And... is there a workaround?

Thanks muchly,

Volker

PS Submitted 2 crash reports from yesterday by uploading them to
/var/crash.

The relevant config part:

run0
11g
hostap
off
myssid
0
99
NZ
indoor
1
3
WPA-PSK
CCMP
60
3600
xxx
10.x.x.x
24


-- 
Volker Kuhlmann
http://volker.dnsalias.net/ Please do not CC list postings to me.


[pfSense] pfsense/shell ipsec behavior

2012-04-27 Thread Uttam Singh
I have a question on VPN/IPSEC behavior and am looking for insight here.

In my setup, I have 2 networks connected via ipsec.

192.168.0.0/24 --- pf --- internet --- cisco/linksys --- 192.168.10.0/24

+ All traffic between hosts on 192.168.0.0/24 and 192.168.10.0/24 works fine.
+ pf is set up as the default gateway (192.168.0.1)

* From pf/shell, I am not able to ping any address on the 192.168.10.0/24 network
* This is not limited to ping, pf also fails with "iperf -c" when the
server is on the 192.168.10.0/24 network

Looking for ideas on how to debug this.

I have verified that pf does not send any ICMP packets when I initiate
ping from shell (from netstat -I enc0).

pf processes all incoming traffic to 192.168.0.1 from 192.168.10.0/24
just fine. I can ping, reach httpd etc.

thanks,

-Uttam
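The source-selection behaviour behind the two ipsec posts above (traffic the firewall originates itself is given the default route's source address, which lies outside the phase 2 local subnet and so never matches the IPsec policy, which is why "ping -S" from a 192.168.0.0/24 address was needed), as an added Python model that is not part of the thread. The WAN address 203.0.113.5, the two-entry routing table and the remote host 192.168.10.5 are constructed assumptions.

```python
import ipaddress
from typing import Optional, Tuple

# Addresses from the thread; the WAN address is a constructed RFC 5737 example.
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")    # phase 2 local subnet (pf LAN)
REMOTE_NET = ipaddress.ip_network("192.168.10.0/24")  # phase 2 remote subnet
LAN_IP = ipaddress.ip_address("192.168.0.1")
WAN_IP = ipaddress.ip_address("203.0.113.5")          # assumed, not from the thread

# Simplified routing table: (destination, source the kernel picks for that route).
# The remote subnet has no route of its own: the IPsec policy, not the routing
# table, decides what enters the tunnel, so the default route's source is chosen.
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), LAN_IP),
    (ipaddress.ip_network("0.0.0.0/0"), WAN_IP),
]

# Security policy database: the single phase 2 entry described in the post.
SPD = [(LOCAL_NET, REMOTE_NET)]


def default_source(dst):
    """Longest-prefix match; returns the source address the kernel would choose."""
    candidates = [r for r in ROUTES if dst in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def spd_match(src, dst) -> bool:
    """True when some phase 2 selector covers the (src, dst) pair."""
    return any(src in local and dst in remote for local, remote in SPD)


def check_packet(dst: str, src: Optional[str] = None) -> Tuple[str, bool]:
    """Return (source address used, whether the packet would go out via enc0).

    src=None models a plain 'ping host' from the firewall shell; src set models
    'ping -S src host' or a client bound to that source address.
    """
    d = ipaddress.ip_address(dst)
    s = ipaddress.ip_address(src) if src else default_source(d)
    return str(s), spd_match(s, d)


if __name__ == "__main__":
    for dst, src in (("192.168.10.5", None), ("192.168.10.5", "192.168.0.1"),
                     ("192.168.10.5", "192.168.0.50")):
        used, tunneled = check_packet(dst, src)
        verdict = ("matches the phase 2 selector, sent via enc0" if tunneled
                   else "no SPD match, never reaches enc0")
        print(f"to {dst} from {used}: {verdict}")
```

The third case is a LAN host behind the firewall, which is why host-to-host traffic works while the firewall's own unbound traffic does not.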


Re: [pfSense] Can anyone please tell me the step by step to integrate Freeradiuse to authenticate users from Window Active directory?

2012-04-27 Thread Abdullah Nihan
"Windows RADIUS server with captive portal" - Can you tell me or can you
please direct me to a good guide to set up Win Radius with Captive Portal?

Chris, thanks for your answer!

On 26 April 2012 13:49, Chris Buechler  wrote:

>
>
> On Thu, Apr 26, 2012 at 3:12 AM, Abdullah Nihan  wrote:
>
>> Which means its simply not possible to use Free-radius on Pf-sense in a
>> windows AD environment. Right?
>> Reason I wanted to use Pf-sense Captive portal is that its way too cooler
>> than windows IIS & Radius!
>>
>
> You can use Windows RADIUS server with captive portal. Has nothing to do
> with IIS. If you want to authenticate CP to AD, do it that way. Whether you
> can integrate FreeRADIUS with AD, I don't know, but I wouldn't even think
> about doing so. Unnecessary complexity and additional setup time if it's
> even feasible.
>


Re: [pfSense] [pfsense] dansguardian

2012-04-27 Thread k_o_l
Firewall: NAT: Port Forward:

Interface: LAN
Protocol: TCP
Destination: ANY
Destination port range: from http to http
Redirect target ip: 127.0.0.1
Redirect target port: other 8080

Make sure it is showing under the LAN segment in the correct order

From: Ryan Rodrigue [mailto:radiote...@aaremail.com]
Sent: Thursday, April 26, 2012 8:09 PM
To: k_...@hotmail.com; 'pfSense support and discussion'
Subject: RE: [pfSense] [pfsense] dansguardian

>>This is excellent Ryan, how about the nat/firewall rules?

Nothing special.  Like I said.  It really just works.



Re: [pfSense] [pfsense] dansguardian

2012-04-27 Thread Ryan Rodrigue
Ryan, your solution worked just fine, but in addition I added a fw rule to
catch all http (port 80) traffic and had it redirected to 8080, that way you
don't need to change the proxy on the individual hosts

K_o_l

How and where did you add such a rule?  I would like it to work in
transparent mode.  I am mainly just playing with it right now.  It is not in
production yet.



Re: [pfSense] incoming load balancer docs notes

2012-04-27 Thread Jim Pingle
On 4/27/2012 11:44 AM, Vick Khera wrote:
> Reading http://doc.pfsense.org/index.php/Inbound_Load_Balancing
> 
> I find a couple of issues, which seem to be changes in 2.0.
> 
> 1) the default probe is 10 seconds, not 5.  There is no way to tweak that.

There is in 2.1

> 2) there is no "sticky" option

System > Advanced, Misc tab. Though last I heard it still wasn't working
properly.

> The commentary about 1.2 implementation using NAT and issues with
> reflection seem to still hold true for 2.0.
> 
> There appears to be a delay between saving changes to the pool and
> when it starts responding.  I'm testing on an ALIX system so it may
> just be due to the slowness of this box.

I think there are some changes that aren't triggering a full reload of
relayd when it needs to. I fixed some of that for 2.0.1 but there may
still be some other cases out there. You can go to Status > Services and
restart relayd to be sure.

Jim


Re: [pfSense] [pfsense] dansguardian

2012-04-27 Thread k_o_l
Ryan, your solution worked just fine, but in addition I added a fw rule to
catch all http (port 80) traffic and had it redirected to 8080, that way you
don't need to change the proxy on the individual hosts

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Ryan Rodrigue
Sent: Thursday, April 26, 2012 6:40 PM
To: 'pfSense support and discussion'
Subject: Re: [pfSense] [pfsense] dansguardian

That's funny.  It deleted all of the values.  I cleaned it up a little and
put the correct values in red

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Ryan Rodrigue
Sent: Thursday, April 26, 2012 5:24 PM
To: 'pfSense support and discussion'
Subject: Re: [pfSense] [pfsense] dansguardian

Mine is up and running, but I have to manually put the dansguardian port in
the web browser as a proxy server.  I do not have it working for transparent
squid

As you can see, most of the settings are default.

These are the Dansguardian settings. (I hope you can read this).

Daemon

Listening Settings
Enable dansguardian: I agree with dansguardian Terms and Conditions. - Checked
Listen Interface(s): LAN/loopback
Listen port: 8080
Daemon Options: softrestart
Min/Max Children: 8/120
Min/Max Spare Children: 4/32
Prefork Children: 8
Max Age Children: 500
Max Ips: 0

Parent proxy Settings
Proxy IP: 127.0.0.1
Proxy Port: 3128

General

Config Settings
Auth Plugins: Proxy-Basic
Scan Options: All with on in ()
Weighted phrase mode: Singular = each weighted phrase found only counts once on a page
Lower casing options: Force lower case
Phrase filter mode: Use both
Url cache number: blank
Url cache age: blank

SSL man in the middle Filtering
CA: none
Cert: webconfigurator default

Content Scanner
Content Scanners (antivirus): None
freshclam frequency: Every day
Content scanner timeout: 60
Content scan exceptions: No Check
ICAP URL: Blank

Misc Options
Misc options: None

In squid from top to bottom I have selected (squid won't paste for some
reason)

Proxy Interface: LAN and Loopback

Allow users = checked

Blank until Enable Logging

Enable logging = checked

Log store = /var/squid/logs

Log rotate = 90

Proxy port = 3128

ICP port = (blank)

Visible hostname = localhost

Administrator email = admin@localhost

Language = English

X-Forward = no check

Disable Via = no check

Strip

The rest is blank

Upstream Proxy is totally blank and I am using no authentication for now.

This may not be the best settings.  If anyone has any suggestion, please let
me know.  I always look for ways to do things better.



[pfSense] incoming load balancer docs notes

2012-04-27 Thread Vick Khera
Reading http://doc.pfsense.org/index.php/Inbound_Load_Balancing

I find a couple of issues, which seem to be changes in 2.0.

1) the default probe is 10 seconds, not 5.  There is no way to tweak that.
2) there is no "sticky" option

The commentary about 1.2 implementation using NAT and issues with
reflection seem to still hold true for 2.0.

There appears to be a delay between saving changes to the pool and
when it starts responding.  I'm testing on an ALIX system so it may
just be due to the slowness of this box.


[pfSense] s related to tinydns

2012-04-27 Thread Ray

Hi there,

when I fire up svscan on one of my pfsense 2.0.1 boxes, it starts
"supervise tinydns" processes. These supervise processes spawn plenty of
processes that end up as zombies, each of which dies after some seconds. I.e.,
I have a block of 5-6 s traversing my process list.
Constantly. The TinyDNS log in the Web UI looks fine.


I actually did a ls -ltr /var/log to see whether anything about the 
zombies is written to any of the log files. However, there is nothing.


Is there a way to find out what is going wrong?

TinyDNS appears to be running and responding ok:

[2.0.1-RELEASE][r...@secgw.pfaf.intra.rsd.ch]/root(173): dig @127.0.0.1 
mach.pfaf.intra.rsd.ch


; <<>> DiG 9.6.2-P2 <<>> @127.0.0.1 mach.pfaf.intra.rsd.ch
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3323
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mach.pfaf.intra.rsd.ch.        IN      A

;; ANSWER SECTION:
mach.pfaf.intra.rsd.ch. 86400   IN      A       192.168.10.196

;; AUTHORITY SECTION:
pfaf.intra.rsd.ch.      259200  IN      NS      ns.pfaf.intra.rsd.ch.

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 27 14:08:14 2012
;; MSG SIZE  rcvd: 80



I am coming from BIND9, so I've been spoilt with working CNAMEs. 
Somehow TinyDNS appears to have serious trouble with those:


[2.0.1-RELEASE][r...@secgw.pfaf.intra.rsd.ch]/root(175): dig @127.0.0.1 
ns.pfaf.intra.rsd.ch


; <<>> DiG 9.6.2-P2 <<>> @127.0.0.1 ns.pfaf.intra.rsd.ch
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32225
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns.pfaf.intra.rsd.ch.          IN      A

;; ANSWER SECTION:
ns.pfaf.intra.rsd.ch.   86400   IN      CNAME   secgw.pfaf.intra.rsd.ch.

;; AUTHORITY SECTION:
pfaf.intra.rsd.ch.      259200  IN      NS      ns.pfaf.intra.rsd.ch.

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 27 14:11:39 2012
;; MSG SIZE  rcvd: 79


There's an answer to go and check out secgw.pfaf.intra.rsd.ch., but 
it's simply not working:


[2.0.1-RELEASE][r...@secgw.pfaf.intra.rsd.ch]/root(176): ping 
ns.pfaf.intra.rsd.ch

ping: cannot resolve ns.pfaf.intra.rsd.ch: Unknown server error

Here's my zone file as it is shown in the Web UI. Is there some obvious
mistake that I'm not aware of?


Record Name                  Record Type  rDNS  Record Data
pfaf.intra.rsd.ch            SOA                ns.pfaf.intra.rsd.ch.
jupiter.pfaf.intra.rsd.ch    A            on    192.168.10.199
phatmac.pfaf.intra.rsd.ch    A            on    192.168.10.198
pfaf.intra.rsd.ch            MX                 mail.rsd.ch.
smack.pfaf.intra.rsd.ch      A            on    192.168.10.197
mach.pfaf.intra.rsd.ch       A            on    192.168.10.196
micro.pfaf.intra.rsd.ch      A            on    192.168.10.195
nano.pfaf.intra.rsd.ch       A            on    192.168.10.194
dlink-ap1.pfaf.intra.rsd.ch  A            on    192.168.10.249
dlink-ap2.pfaf.intra.rsd.ch  A            on    192.168.10.248
lp1.pfaf.intra.rsd.ch        A            on    192.168.10.229
kvm1.pfaf.intra.rsd.ch       A            on    192.168.10.10
hpsw1.pfaf.intra.rsd.ch      A            on    192.168.10.9
ats1.pfaf.intra.rsd.ch       A            on    192.168.10.3
pdu1.pfaf.intra.rsd.ch       A            on    192.168.10.1
pdu2.pfaf.intra.rsd.ch       A            on    192.168.10.2
secgw.pfaf.intra.rsd.ch      A            on    192.168.10.254
ns.pfaf.intra.rsd.ch         CNAME              secgw.pfaf.intra.rsd.ch.

I've checked the TinyDNS documentation. There, one can read: "Don't use
Cfqdn if there are any other records for fqdn. Don't use Cfqdn for
common aliases; use +fqdn instead. Remember the wise words of Inigo
Montoya: ``You keep using CNAME records. I do not think they mean what
you think they mean.''" Honestly, I don't get it. What's so special
about CNAMEs on TinyDNS? I just see them as the equivalent of a Symbolic
Link in Linux. Am I too naive about this?





On another matter: I've sent a question concerning DNS and pfSense two
days ago (Title: "DNS internal, caching external & forwarding requests
to upstream servers. What's the best practice on pfsense 2.0.1?") to
which I got not a single response. I keep wondering why. Was the
question stupid? Or should I have sent it elsewhere (the TinyDNS forum, for
instance)? Or is no one here using a DNS server on pfSense? Too much
jargon or not enough of it? Break of some netiquette rule that I'm not
aware of? Please, give me a pointer here and I'll try to improve!



Cheers,
Ray


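As an added example (not code from the post, from tinydns or from pfSense), a small Python linter over the zone shown above that checks the two rules the quoted tinydns documentation alludes to: an alias name must carry no other records, and NS/MX targets must be real hosts with address records, not aliases. The NS row is taken from dig's AUTHORITY section; only a few of the A rows are kept, and the zone text layout is constructed for parsing.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed from the post: the Web UI table plus the NS record that dig returned
# in its AUTHORITY section (the table does not list it). Only a few A rows are kept.
ZONE_TEXT = """
pfaf.intra.rsd.ch          SOA    ns.pfaf.intra.rsd.ch.
pfaf.intra.rsd.ch          NS     ns.pfaf.intra.rsd.ch.
pfaf.intra.rsd.ch          MX     mail.rsd.ch.
jupiter.pfaf.intra.rsd.ch  A      192.168.10.199
mach.pfaf.intra.rsd.ch     A      192.168.10.196
secgw.pfaf.intra.rsd.ch    A      192.168.10.254
ns.pfaf.intra.rsd.ch       CNAME  secgw.pfaf.intra.rsd.ch.
"""


def norm(name: str) -> str:
    """Lower-case and drop the trailing dot so 'ns.x.' and 'ns.x' compare equal."""
    return name.lower().rstrip(".")


def parse_zone(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'owner TYPE data' lines into (owner, type, data); blank lines are skipped."""
    recs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            recs.append((norm(parts[0]), parts[1].upper(), parts[2]))
    return recs


def lint_zone(recs: List[Tuple[str, str, str]]) -> List[str]:
    """Return findings for the two classic CNAME mistakes."""
    types_at: Dict[str, Set[str]] = defaultdict(set)
    cnames: Dict[str, str] = {}
    for owner, rtype, data in recs:
        types_at[owner].add(rtype)
        if rtype == "CNAME":
            cnames[owner] = norm(data)
    findings = []
    # Rule 1 (RFC 1034 3.6.2; tinydns: "Don't use Cfqdn if there are any other
    # records for fqdn"): an alias name may carry no other record type.
    for owner in cnames:
        others = types_at[owner] - {"CNAME"}
        if others:
            findings.append(f"{owner}: CNAME coexists with {sorted(others)}")
    # Rule 2 (RFC 2181 10.3 for NS and MX; the SOA primary server is treated the
    # same way): a server name must be a host with address records, not an alias.
    for owner, rtype, data in recs:
        target = norm(data)
        if rtype in ("NS", "MX", "SOA") and target in cnames:
            findings.append(f"{owner} {rtype} -> {target} is a CNAME for "
                            f"{cnames[target]}; publish an A record for it instead")
    return findings
```

Run `lint_zone(parse_zone(ZONE_TEXT))` to see both the SOA and the NS record flagged for pointing at the ns alias; replacing the CNAME with an A record for ns (tinydns "+fqdn") clears both findings.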

Re: [pfSense] Compex WLM54SAGP23 (Atheros 5413), ALIX 2D3 & pfSense 2?

2012-04-27 Thread Pete Boyd
On 27/04/12 11:00, bsd wrote:
>> I've been using the above miniPCI card in an Alix board for over a
>> year now - entirely trouble free.

Great. Thanks.

-- 
Pete Boyd

thegoldenear.org
openplanit.co.uk



Re: [pfSense] Compex WLM54SAGP23 (Atheros 5413), ALIX 2D3 & pfSense 2?

2012-04-27 Thread bsd
On 26 Apr 2012, at 21:40, Pete Boyd wrote:

> Hi. I'm choosing a miniPCI wireless card from www.msdist.co.uk to go in
> an ALIX 2D3. The only cards there that appear to be supported  by
> FreeBSD 8.1 are the Wistron DCMA81 (Atheros AR5213A), Wistron CM9-GP
> (Atheros AR5213A) and the Compex WLM54SAGP23 (Atheros 5413).
> 
> I'd just like to check if people have successfully used the Compex
> WLM54SAGP23 (Atheros 5413) in a wireless access point (host AP) setup
> with pfSense 2.0.1?
> 
> Thanks
> 
> -- 
> Pete Boyd
> 
> thegoldenear.org
> openplanit.co.uk
> 

Looks like it is ok…

I found a message on the pfSense forum from the 28th of February:


> Subject : Compex WLM54SAG23 (AR5414): Clone and parallel use of a g dual ban


> Hi,
> 
> I've been using the above miniPCI card in an Alix board for over a year now - 
> entirely trouble free. Now I plan to set up a second SSID (Guest WiFi) that 
> can only access WAN. I have seen that I can clone the WLAN interface in 
> pfSense 2.01 but my ha...



-> Grégory Bernard Director <-
---> www.osnet.eu <---
--> Your provider of OpenSource appliances <--
